Versions Compared


...

This noncompliant code example logs the exception and wraps it in a more general exception before re-throwing it.

...

While this exception is less likely to leak useful information than the previous noncompliant code examples, it still reveals that the specified file cannot be read. More specifically, the program reacts differently to nonexistent file paths than it does to valid ones, and an attacker can still infer sensitive information about the file system from this program's behavior. Failure to restrict user input leaves the system vulnerable to a brute-force attack in which the attacker discovers valid file names by issuing queries that collectively cover the space of possible file names: file names that cause the program to return the sanitized exception indicate nonexistent files, whereas file names that do not reveal existing files.

Compliant Solution (Canonicalization)

...

Compliant solutions must ensure that security exceptions such as java.security.AccessControlException and java.lang.SecurityException continue to be logged and sanitized appropriately. See rule ERR07-J. Prevent exceptions while logging data for additional information. The MyExceptionReporter class from rule ERR00-J. Do not suppress or ignore checked exceptions demonstrates an acceptable approach for this logging and sanitization.

For scalability, the switch statement should be replaced with a mapping from integers to valid file names, or at least an enum type representing the valid files.
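The following is an added example, not the rule's own code, showing the compliant approach with an enum in place of the switch statement: user input selects only an index into a fixed set of file names, and every I/O failure is logged in full but surfaces to the caller as one sanitized message. The file set, base directory and the java.util.logging call standing in for MyExceptionReporter are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeFileReader {
    // Assumed set of permitted files: user input may only select among these,
    // so a failure message can reveal nothing beyond this fixed, public list.
    enum AllowedFile {
        CONFIG("config.properties"),
        LICENSE("license.txt");

        private final String fileName;
        AllowedFile(String fileName) { this.fileName = fileName; }
        String fileName() { return fileName; }
    }

    // Assumed base directory; the user never supplies any part of the path.
    private static final Path BASE_DIR =
        Paths.get(System.getProperty("user.home"), "appdata");

    private static final Logger LOG = Logger.getLogger(SafeFileReader.class.getName());

    // Maps a user-supplied index to an allowed file. An out-of-range index is
    // rejected before any file system access, so probing it yields no
    // information about the file system at all.
    static Path resolve(int index) {
        AllowedFile[] files = AllowedFile.values();
        if (index < 0 || index >= files.length) {
            throw new IllegalArgumentException("Invalid file selection");
        }
        return BASE_DIR.resolve(files[index].fileName());
    }

    // Reads the selected file. The original exception is logged in full for the
    // operator (ERR00-J's MyExceptionReporter would go here) but is not passed
    // as a cause to the rethrown exception, so its message cannot reach the caller.
    static byte[] read(int index) throws IOException {
        Path path = resolve(index);
        try (FileInputStream fis = new FileInputStream(path.toFile())) {
            return fis.readAllBytes();
        } catch (IOException e) {
            LOG.log(Level.WARNING, "File read failed", e);
            throw new IOException("Unable to retrieve file");
        }
    }
}
```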

Risk Assessment

Exceptions may inadvertently reveal sensitive information unless care is taken to limit the information disclosure.

...

[MITRE 2009] CWE ID 209 "Information Exposure Through an Error Message" (http://cwe.mitre.org/data/definitions/209.html)

CWE ID 600 "Uncaught Exception in Servlet"

CWE ID 497 "Exposure of System Data to an Unauthorized Control Sphere"

...

[Gong 2003] 9.1 Security Exceptions

[SCG 2007] Guideline 3-4 Purge sensitive information from exceptions

...